postgresgrant: New controller, supporting PostgreSQL GRANTs.

Preliminary support for GRANTs. Note that this is currently
experimental, and operates in non-authoritative mode. It will only GRANT
but not REVOKE previously granted privileges.

Author: yjwong

PROJECT

@@ -25,4 +25,16 @@ resources:
   kind: PostgresPublication
   path: github.com/glints-dev/postgres-config-operator/api/v1alpha1
   version: v1alpha1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: glints.com
+  group: postgres
+  kind: PostgresGrant
+  path: github.com/glints-dev/postgres-config-operator/api/v1alpha1
+  version: v1alpha1
+  webhooks:
+    validation: true
+    webhookVersion: v1
 version: "3"

api/v1alpha1/postgresgrant_types.go

@@ -0,0 +1,151 @@
+/*
+Copyright 2021.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1alpha1
+
+import (
+	"github.com/jackc/pgx/v4"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// NOTE: json tags are required.  Any new fields you add must have json tags for the fields to be serialized.
+
+// PostgresGrantSpec defines the desired state of PostgresGrant
+type PostgresGrantSpec struct {
+	// INSERT ADDITIONAL SPEC FIELDS - desired state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+
+	// PostgresRef is a reference to the PostgreSQL server to configure
+	PostgresRef PostgresRef `json:"postgresRef"`
+
+	// Role to grant privileges to
+	Role string `json:"role"`
+
+	// Tables is the list of tables to grant privileges for
+	Tables []PostgresIdentifier `json:"tables,omitempty"`
+
+	// TablePrivileges is the list of privileges to grant
+	// Must be one of: SELECT, INSERT, UPDATE, DELETE, TRUNCATE, REFERENCES, TRIGGER, ALL
+	TablePrivileges []string `json:"tablePrivileges,omitempty"`
+
+	// Sequences is the list of sequences to grant privileges for
+	Sequences []PostgresIdentifier `json:"sequences,omitempty"`
+
+	// SequencePrivileges is the list of privileges to grant
+	// Must be one of: USAGE, SELECT, UPDATE, ALL
+	SequencePrivileges []string `json:"sequencePrivileges,omitempty"`
+
+	// Databases is the list of databases to grant privileges for
+	Databases []string `json:"databases,omitempty"`
+
+	// DatabasePrivileges is the list of privileges to grant
+	// Must be one of: CREATE, CONNECT, TEMPORARY, TEMP, ALL
+	DatabasePrivileges []string `json:"databasePrivileges,omitempty"`
+
+	// Schemas  is the list of schemas to grant privileges for
+	Schemas []string `json:"schemas,omitempty"`
+
+	// SchemaPrivileges is the list of privileges to grant
+	// Must be one of: CREATE, USAGE, ALL
+	SchemaPrivileges []string `json:"schemaPrivileges,omitempty"`
+
+	// Functions  is the list of functions to grant privileges for
+	Functions []PostgresIdentifier `json:"functions,omitempty"`
+
+	// FunctionPrivileges is the list of privileges to grant
+	// Must be one of: EXECUTE, ALL
+	FunctionPrivileges []string `json:"functionPrivileges,omitempty"`
+}
+
+// PostgresGrantStatus defines the observed state of PostgresGrant
+type PostgresGrantStatus struct {
+	// INSERT ADDITIONAL STATUS FIELD - define observed state of cluster
+	// Important: Run "make" to regenerate code after modifying this file
+}
+
+//+kubebuilder:object:root=true
+//+kubebuilder:subresource:status
+
+// PostgresGrant is the Schema for the postgresgrants API
+type PostgresGrant struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   PostgresGrantSpec   `json:"spec,omitempty"`
+	Status PostgresGrantStatus `json:"status,omitempty"`
+}
+
+// PrivilegesForType returns the list of privileges defined for a given object
+// type within the grant. If the object type is invalid, nil is returned.
+func (g *PostgresGrant) PrivilegesForType(o ObjectType) []string {
+	switch o {
+	case ObjectTypeTable:
+		return g.Spec.TablePrivileges
+	case ObjectTypeSequence:
+		return g.Spec.SequencePrivileges
+	case ObjectTypeFunction:
+		return g.Spec.FunctionPrivileges
+	case ObjectTypeSchema:
+		return g.Spec.SchemaPrivileges
+	case ObjectTypeDatabase:
+		return g.Spec.DatabasePrivileges
+	}
+
+	return nil
+}
+
+// IdentifiersForType returns the list of identifiers defined for a given object
+// type within the grant. If the object type is invalid, nil is returned.
+func (g *PostgresGrant) IdentifiersForType(o ObjectType) []pgx.Identifier {
+	var identifiers []pgx.Identifier
+	switch o {
+	case ObjectTypeTable:
+		for _, table := range g.Spec.Tables {
+			identifiers = append(identifiers, pgx.Identifier{table.Schema, table.Name})
+		}
+	case ObjectTypeSequence:
+		for _, sequence := range g.Spec.Sequences {
+			identifiers = append(identifiers, pgx.Identifier{sequence.Schema, sequence.Name})
+		}
+	case ObjectTypeFunction:
+		for _, function := range g.Spec.Functions {
+			identifiers = append(identifiers, pgx.Identifier{function.Schema, function.Name})
+		}
+	case ObjectTypeSchema:
+		for _, schema := range g.Spec.Schemas {
+			identifiers = append(identifiers, pgx.Identifier{schema})
+		}
+	case ObjectTypeDatabase:
+		for _, database := range g.Spec.Databases {
+			identifiers = append(identifiers, pgx.Identifier{database})
+		}
+	}
+
+	return identifiers
+}
+
+//+kubebuilder:object:root=true
+
+// PostgresGrantList contains a list of PostgresGrant
+type PostgresGrantList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []PostgresGrant `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&PostgresGrant{}, &PostgresGrantList{})
+}

api/v1alpha1/postgresgrant_types_test.go

@@ -0,0 +1,97 @@
+package v1alpha1
+
+import (
+	"net/http"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+var _ = Describe("PostgresGrant: Webhooks", func() {
+	type testCase struct {
+		Name           string
+		Spec           PostgresGrantSpec
+		ErrExpected    bool
+		ExpectedCode   int32
+		ExpectedReason metav1.StatusReason
+	}
+
+	testCases := []testCase{
+		{
+			Name: "should fail to validate if ALL is specified along other operations",
+			Spec: PostgresGrantSpec{
+				Tables: []PostgresIdentifier{
+					{Name: "jobs", Schema: "public"},
+				},
+				TablePrivileges: []string{"SELECT", "ALL"},
+			},
+			ExpectedCode:   http.StatusForbidden,
+			ExpectedReason: "\"ALL\" cannot be specified alongside other privileges",
+		},
+		{
+			Name: "should fail to validate with duplicate table privileges",
+			Spec: PostgresGrantSpec{
+				Tables: []PostgresIdentifier{
+					{Name: "jobs", Schema: "public"},
+				},
+				TablePrivileges: []string{"SELECT", "SELECT"},
+			},
+			ExpectedCode:   http.StatusForbidden,
+			ExpectedReason: "duplicate table privilege \"SELECT\"",
+		},
+		{
+			Name: "should fail to validate with invalid table privileges",
+			Spec: PostgresGrantSpec{
+				Tables: []PostgresIdentifier{
+					{Name: "jobs", Schema: "public"},
+				},
+				TablePrivileges: []string{"DUMMY"},
+			},
+			ExpectedCode:   http.StatusForbidden,
+			ExpectedReason: "invalid table privilege \"DUMMY\"",
+		},
+	}
+
+	It("should succeed validation with valid privilege declaration", func() {
+
+		grant := &PostgresGrant{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "grant-test",
+				Namespace: "default",
+			},
+			Spec: PostgresGrantSpec{
+				Tables: []PostgresIdentifier{
+					{Name: "jobs", Schema: "public"},
+				},
+				TablePrivileges: []string{"SELECT", "UPDATE"},
+			},
+		}
+
+		err := k8sClient.Create(ctx, grant)
+		Expect(err).NotTo(HaveOccurred())
+	})
+
+	for _, testCase := range testCases {
+		testCase := testCase
+		It(testCase.Name, func() {
+			grant := &PostgresGrant{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "grant-test",
+					Namespace: "default",
+				},
+				Spec: testCase.Spec,
+			}
+
+			err := k8sClient.Create(ctx, grant)
+			Expect(err).To(HaveOccurred())
+
+			statusErr, ok := err.(*errors.StatusError)
+			Expect(ok).To(BeTrue())
+
+			Expect(statusErr.ErrStatus.Code).To(BeEquivalentTo(testCase.ExpectedCode))
+			Expect(statusErr.ErrStatus.Reason).To(Equal(testCase.ExpectedReason))
+		})
+	}
+})